FINDING SHORT PRODUCT REPRESENTATIONS IN FINITE GROUPS

Abstract. We describe a space-efficient algorithm for solving a generalization of the subset sum problem in a finite group $G$, using a Pollard-$\rho$ approach. Given an element $z$ and a sequence of elements $S$, our algorithm attempts to find a subsequence of $S$ whose product in $G$ is equal to $z$. For a random sequence $S$ of length $d\log_2 n$, where $n = \#G$ and $d \geq 2$ is a constant, we find that its expected running time is $O(\sqrt{n}\log n)$ group operations (we give a rigorous proof for $d > 4$), and it only needs to store $O(1)$ group elements. We consider applications to class groups of imaginary quadratic fields, and to finding isogenies between elliptic curves over a finite field.



1. Introduction 

Let $S$ be a sequence of elements in a finite group $G$ of order $n$, written multiplicatively. We say that $S$ represents $G$ if every element of $G$ can be expressed as the (ordered) product of a subsequence of $S$. Ideally, we want $S$ to be short, say $k = d\log_2 n$ for some constant $d$ known as the density of $S$.

In order for $S$ to represent $G$, we clearly require $d \geq 1$, and for sufficiently large $n$, any $d > 1$ suffices. More precisely, Babai and Erdős [3] show that for all

$$k \geq \log_2 n + \log_2 \log n + 2$$

there exists a sequence $S$ of length $k$ that represents $G$. Their proof is non-constructive, but, in the case that $G$ is abelian, Erdős and Rényi show that a randomly chosen sequence of length

$$k = \log_2 n + \log_2 \log n + \omega_n$$

represents $G$ with probability approaching 1 as $n \to \infty$, provided that $\omega_n \to \infty$. The randomness assumption is necessary, since it takes much larger values of $k$ to ensure that every sequence of length $k$ represents $G$; see [?].

In related work, Impagliazzo and Naor prove that for a random sequence $S$ of density $d > 1$, the distribution of subsequence products almost surely converges to the uniform distribution on $G$ as $n$ goes to infinity [15, Proposition 4.1]. This result allows us to bound the complexity of our algorithm for almost all $S$ with $d > 4$.

Given a sequence $S$ that represents $G$ (or a large subset of $G$), we wish to find an explicit representation of a given group element $z$ as the product of a subsequence of $S$; we call this a short product representation of $z$. In the special case that $G$ is abelian and the elements of $S$ are distinct, this is the subset sum problem in a finite group. Variations of this problem and its decision version have long been of interest to many fields: complexity theory [17], cryptography [?], additive number theory [3], Cayley graph theory [5], and information theory [1], to name just a few.
As a computational framework, we work with a generic group $G$ whose elements are uniquely identified, and assume that all group operations are performed by a black box that can also provide random group elements; see [30, Chapter 1] for a formal model. Time complexity is measured by counting group operations (calls to the black box), and for space complexity we count the number of group elements that are simultaneously stored. In most practical applications, these metrics are within a polylogarithmic factor of the usual bit complexity.

Working in this model ensures that our algorithms apply to any finite group for which a suitable black box can be constructed. It also means that finding short product representations is provably hard. Indeed, the discrete logarithm problem in a cyclic group of prime order has a lower bound of $\Omega(\sqrt{n})$ in the generic group model [26], and is easily reduced to finding short product representations.

In the particular group $G = \mathbb{Z}/n\mathbb{Z}$, we note that finding short product representations is easier for non-generic algorithms: the problem can be lifted to $k$ subset sum problems in $\mathbb{Z}$, which for suitable inputs can be solved with a time and space complexity of $O(n^{0.3113})$ via [14], beating the $\Omega(\sqrt{n})$ generic lower bound noted above. This is not so surprising, since working with integers is often easier than working in generic groups; for instance, the discrete logarithm problem in $\mathbb{Z}$ corresponds to integer division and can be solved in quasi-linear time.

A standard technique for solving subset sum problems in generic groups uses a baby-step giant-step approach, which can also be used to find short product representations (Section 2.1). This typically involves $O(2^{k/2})$ group operations and storage for $O(2^{k/2})$ group elements. The space bound can be improved to $O(2^{k/4})$ via a method of Schroeppel and Shamir [24].

Here, we give a Pollard-$\rho$ type algorithm [21] for finding short product representations in a finite group (Section 2.2). It only needs to store $O(1)$ group elements, and, assuming $S$ is a random sequence of density $d > 4$, we prove that its expected running time is $O(\sqrt{n}\log n)$ group operations; alternatively, by dedicating $O(n^{\epsilon})$ space to precomputations, the time complexity can be reduced to $O(\sqrt{n})$ (Section 3).

We also consider two applications: representing elements of the class group of an imaginary quadratic number field as short products of prime ideals with small norm (Section 4.2), and finding an isogeny between two elliptic curves defined over a finite field (Section 4.3). For the latter, our method combines the advantages of [11] and [12] in that it requires little memory and finds an isogeny that can subsequently be evaluated in polynomial time.

In practice, our algorithm performs well so long as $d \geq 2$, and its low space complexity allows it to feasibly handle much larger problem instances than other generic methods (Section 5).



2. Algorithms 

Let $S$ be a sequence of length $k$ in a finite group $G$ of order $n$, let $z$ be an element of $G$, and let $\mathcal{P}(S)$ denote the set of all subsequences of $S$. Our goal is to find a preimage of $z$ under the product map $\pi : \mathcal{P}(S) \to G$ that sends a subsequence of $S$ to the (ordered) product of its elements.

2.1. Baby-step giant-step. Let us first recall the baby-step giant-step method. We may express $S = AB$ as the concatenation of two subsequences of roughly equal length. For any sequence $y = (y_1, \ldots, y_m)$, let $\mu(y) = (y_m^{-1}, \ldots, y_1^{-1})$, so that $\pi(y)$ and $\pi(\mu(y))$ are inverses in $G$. We then search for $x \in \mathcal{P}(A)$ (a baby step) and $y \in \mathcal{P}(B)$ (a giant step) which "collide" in the sense that $\pi(x) = \pi(z\mu(y))$, where $z\mu(y)$ denotes the sequence $(z, y_m^{-1}, \ldots, y_1^{-1})$.

Baby-step giant-step Algorithm

Input: A finite sequence $S$ in a group $G$ and a target $z \in \pi(\mathcal{P}(S))$.
Output: A subsequence of $S$ whose product is $z$.

1. Express $S$ in the form $S = AB$ with $\#A \approx \#B$.

2. For each $x \in \mathcal{P}(A)$, store $(\pi(x), x)$ in a table indexed by $\pi(x)$.

3. For each $y \in \mathcal{P}(B)$:

4. Look up $\pi(z\mu(y))$ in the table computed in Step 2.

5. If $\pi(z\mu(y)) = \pi(x)$ is found then output $xy$, otherwise continue.

The table constructed in Step 2 is typically implemented as a hash table, so that the cost of the lookup in Step 4 is negligible. Elements of $\mathcal{P}(A)$ and $\mathcal{P}(B)$ may be compactly represented by bit-strings of length $\lceil k/2 \rceil = O(\log n)$, which is approximately the size of a single group element. If these bit-strings are enumerated in a suitable order, each step can be derived from the previous step using $O(1)$ group operations.¹ The algorithm then performs a total of $O(2^{k/2})$ group operations and has a space complexity of $O(2^{k/2})$ group elements. One can make a time-space trade-off by varying the relative sizes of $A$ and $B$.

This algorithm has the virtue of determinism, but its complexity $O(n^{d/2})$ is exponential in the density $d$ (as well as $\log n$). For $d > 1$, a randomized approach works better: select $\sqrt{n}$ baby steps $x \in \mathcal{P}(A)$ at random, then select random giant steps $y \in \mathcal{P}(B)$ until a collision $\pi(z\mu(y)) = \pi(x)$ is found. Assuming that $\pi(x)$ and $\pi(z\mu(y))$ are uniformly distributed in $G$, we expect to use $\sqrt{n}$ giant steps. To reduce the cost of each step, one may partition $A$ and $B$ each into approximately $d$ subsequences $A_i$ and $B_i$ and precompute $\pi(x)$ for all $x \in \mathcal{P}(A_i)$, and $\pi(\mu(y))$ for all $y \in \mathcal{P}(B_i)$. This yields an expected running time of $O(\sqrt{n})$ group operations, using storage for $O(\sqrt{n})$ group elements, for any fixed $d$.

2.2. A low-memory algorithm. In order to use the Pollard-$\rho$ technique, we need a pseudo-random function $\phi$ on the disjoint union $C = \mathcal{A} \cup \mathcal{B}$, where $\mathcal{A} = \mathcal{P}(A)$ and $\mathcal{B}$ is the set $\{z\mu(y) : y \in \mathcal{P}(B)\}$. This map $\phi$ is required to preserve collisions, meaning that $\pi(x) = \pi(y)$ implies $\pi(\phi(x)) = \pi(\phi(y))$. Given a hash function $\eta : G \to C$, we may construct such a map as $\phi = \eta \circ \pi$. Under suitable assumptions (see Section 3), the Pollard-$\rho$ method can then be applied.

Pollard-$\rho$ Algorithm

Input: A finite sequence $S$ in a group $G$ and a target $z \in \pi(\mathcal{P}(S))$.
Output: A subsequence of $S$ whose product is $z$.

1. Pick a random element $w \in C$ and a hash function $\eta : G \to C$.

2. Find the least $i > 0$ and $j \geq 0$ such that $\phi^{(i+j)}(w) = \phi^{(j)}(w)$.

3. If $j = 0$ then return to Step 1.

4. Let $s = \phi^{(i+j-1)}(w)$ and let $t = \phi^{(j-1)}(w)$.

5. If $\pi(s) \neq \pi(t)$ then return to Step 1.

6. If $s \in \mathcal{A}$ and $t = z\mu(y) \in \mathcal{B}$ then output $sy$ and terminate.

7. If $t \in \mathcal{A}$ and $s = z\mu(y) \in \mathcal{B}$ then output $ty$ and terminate.

8. Return to Step 1.



¹ With a Gray code, exactly one group operation is used per step, see [19].

Step 2 can be implemented with Floyd's algorithm [18, Exercise 3.1.6] using storage for just two elements of $C$, which fits in the memory space of $O(1)$ group elements. More sophisticated collision-detection techniques can reduce the number of evaluations of $\phi$ while still storing $O(1)$ elements, see [?]. We prefer the method of distinguished points, which facilitates a parallel implementation [32].

2.3. Toy example. Let $G = (\mathbb{Z}/n\mathbb{Z}, +)$ and define $S$ as the concatenation of the sequences $A = (3^i)$ and $B = (5^i)$ for $i \in \{1, \ldots, k/2\}$. We put $n = 127$ and $k = 12$, implying $d \approx 1.7$. With $C = \mathcal{A} \cup \mathcal{B}$ as above, we define $\eta : G \to C$ via

$$\eta(x) = \begin{cases} (3^i)_{\{i : b_i = 1\}} & \text{when } b_0 = 1, \\ z\mu\big((5^i)_{\{i : b_i = 1\}}\big) & \text{when } b_0 = 0, \end{cases}$$

where $\sum_{i=0}^{6} b_i 2^i$ is the binary representation of $96x \bmod n$.

Starting from $w = (2, -5^{?}, -5^{?}, -5^{?}, -5)$, the algorithm finds $i = 4$ and $j = 6$:

[Diagram: the $\rho$-shaped orbit of $w$ under $\phi$, a tail of $j = 6$ elements of $C$ leading into a cycle of $i = 4$ elements, entered at the node $(3^{?}, 3^{?})$.]

The two preimages of $(3^{?}, 3^{?})$ yield the short product representation
$$2 = 3 + 3^2 + 3^3 + 3^5 + 5 + 5^2 + 5^4 + 5^5 + 5^6 \bmod 127.$$
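To make Sections 2.1 through 2.3 concrete, the following Python program is an added implementation (ours, not code from the paper) of both the baby-step giant-step method and the Pollard-$\rho$ algorithm on the toy instance above: $G = (\mathbb{Z}/127\mathbb{Z}, +)$, $A = (3^i)$, $B = (5^i)$ for $i = 1, \ldots, 6$, target $z = 2$. Elements of $C$ are encoded as (side, 6-bit mask) pairs; $\eta$ is the paper's "bits of $mx \bmod n$" construction, except that the multiplier $m$ is re-drawn on every restart (an assumption on our part, in the spirit of Step 1; the paper fixes $m = 96$). Step 2 is Floyd's cycle-finding, which stores two elements of $C$.

```python
import random

# Toy instance of Section 2.3 (constructed here to match it):
# G = (Z/127Z, +), A = (3^i), B = (5^i) for i = 1..6, target z = 2.
N = 127
A = [pow(3, i, N) for i in range(1, 7)]
B = [pow(5, i, N) for i in range(1, 7)]
Z = 2


def subset_sum(seq, mask):
    """Sum in G of the elements of seq selected by the bits of mask."""
    return sum(v for i, v in enumerate(seq) if mask >> i & 1) % N


def prod_map(c):
    """The product map pi : C -> G. c = (side, mask): side 'A' is the subsequence
    of A selected by mask; side 'B' is z mu(y) for the subsequence y of B."""
    side, mask = c
    if side == 'A':
        return subset_sum(A, mask)
    return (Z - subset_sum(B, mask)) % N          # pi(z mu(y)) = z - pi(y)


def make_eta(m):
    """eta : G -> C from the 7-bit value m*g mod N: bit 0 picks the side,
    bits 1..6 pick the subsequence (the paper uses m = 96; here m varies)."""
    def eta(g):
        v = (m * g) % N
        return ('A' if v & 1 else 'B', v >> 1)
    return eta


def floyd(phi, w):
    """Least i > 0, j >= 0 with phi^(i+j)(w) = phi^(j)(w), storing two elements."""
    tortoise, hare = phi(w), phi(phi(w))
    while tortoise != hare:
        tortoise, hare = phi(tortoise), phi(phi(hare))
    j, tortoise = 0, w                           # rewind to find the tail length j
    while tortoise != hare:
        tortoise, hare, j = phi(tortoise), phi(hare), j + 1
    i, hare = 1, phi(tortoise)                   # then the cycle length i
    while tortoise != hare:
        hare, i = phi(hare), i + 1
    return i, j


def pollard_rho(seed=0, max_restarts=10_000):
    """Return (mask_A, mask_B, c, rho_tot): the representation found, the number
    c of collisions needed, and rho_tot = sum of i + j over those collisions."""
    rng = random.Random(seed)
    c = rho_tot = 0
    for _ in range(max_restarts):
        eta = make_eta(rng.randrange(1, N))                      # Step 1
        phi = lambda x, eta=eta: eta(prod_map(x))
        w = (rng.choice('AB'), rng.randrange(64))
        i, j = floyd(phi, w)                                     # Step 2
        c, rho_tot = c + 1, rho_tot + i + j
        if j == 0:                                               # Step 3
            continue
        t = w
        for _ in range(j - 1):
            t = phi(t)                                           # t = phi^(j-1)(w)
        s = t
        for _ in range(i):
            s = phi(s)                                           # s = phi^(i+j-1)(w)
        if prod_map(s) != prod_map(t):                           # Step 5
            continue
        if s[0] == 'A' and t[0] == 'B':                          # Step 6
            return s[1], t[1], c, rho_tot
        if t[0] == 'A' and s[0] == 'B':                          # Step 7
            return t[1], s[1], c, rho_tot
    return None


def is_representation(mask_a, mask_b):
    """Check that the selected elements of A and B sum to Z in G."""
    return (subset_sum(A, mask_a) + subset_sum(B, mask_b)) % N == Z


def baby_step_giant_step():
    """Section 2.1: a table of all 2^6 baby steps, then giant steps until a hit."""
    table = {subset_sum(A, x): x for x in range(64)}             # Step 2
    for y in range(64):                                          # Steps 3-5
        g = (Z - subset_sum(B, y)) % N                           # pi(z mu(y))
        if g in table:
            return table[g], y
    return None


if __name__ == "__main__":
    mask_a, mask_b, c, rho_tot = pollard_rho(seed=1)
    terms = [f"3^{i+1}" for i in range(6) if mask_a >> i & 1] + \
            [f"5^{i+1}" for i in range(6) if mask_b >> i & 1]
    print(f"{Z} = {' + '.join(terms)} mod {N}   (c = {c}, rho_tot = {rho_tot})")
    print("baby-step giant-step:", baby_step_giant_step())
```

Because $127$ is prime, every multiplier $m$ is invertible, so this $\eta$ is injective on $G$ and Step 5 can never fail in the toy instance: each collision of $\phi$ is a collision of $\pi$, and a restart is needed only when $j = 0$ or both preimages lie on the same side of $C$. In a group large enough that $\eta$ must be a genuine hash, the `prod_map(s) != prod_map(t)` branch is the one that Section 3 shows becomes rare as $d$ grows.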

3. Analysis 

The Pollard-$\rho$ approach is motivated by the following observation: if $\phi : X \to X$ is a random function on a set $X$ of cardinality $n$, then the expected size of the orbit of any $x \in X$ under the action of $\phi$ is $\sqrt{\pi n/2}$ (see [28] for a rigorous proof). In our setting, $X$ is the set $C$ and $\phi = \eta \circ \pi$. Alternatively, since $\phi$ preserves collisions, we may regard $X$ as the set $\pi(C) \subseteq G$ and use $\varphi = \pi \circ \eta$. We shall take the latter view, since it simplifies our analysis.

Typically the function $\varphi$ is not truly random, but under a suitable set of assumptions it may behave so. To rigorously analyze the complexity of our algorithm, we fix a real number $d > 4$ and assume that:

(1) the hash function $\eta : G \to C$ is a random oracle;

(2) $S$ is a random sequence of density $d$.

For any finite set $U$, let $\mathbb{U}_U$ denote the uniform distribution on $U$, which assigns to each subset $A$ of $U$ the value $\#A/\#U$. For any function $f : U \to V$, let $f_*\mathbb{U}_U$ denote the pushforward distribution by $f$ of $\mathbb{U}_U$, which assigns to each subset $Y$ of $V$ the value

$$f_*\mathbb{U}_U(Y) = \frac{\#\{u \in U : f(u) \in Y\}}{\#U}.$$

Assumption (2) implies that $A$ and $B$ are both random sequences with density greater than 2. By [15, Proposition 4.1], this implies that

$$\mathrm{Prob}_A\big[\,\|\pi_*\mathbb{U}_{\mathcal{A}} - \mathbb{U}_G\| > n^{-c}\,\big] < n^{-c},$$

where $c = (d - 2)/4 > 1/2$, and the variation distance $\|\sigma - \tau\|$ between two distributions $\sigma$ and $\tau$ on $G$ is defined as the maximum value of $|\sigma(H) - \tau(H)|$ over all subsets $H$ of $G$. Similarly, we have

$$\mathrm{Prob}_B\big[\,\|\pi_*\mathbb{U}_{\mathcal{B}} - \mathbb{U}_G\| > n^{-c}\,\big] < n^{-c}.$$

From now on we assume that $S$ is fixed and that $\pi_*\mathbb{U}_C$ is within variation distance $2n^{-c}$ of the uniform distribution on $G$; by the argument above, this happens with probability at least $1 - 2n^{-c}$. Recall that a random oracle $\eta : G \to C$ is a random function drawn uniformly from $C^G$, that is, each value $\eta(x)$ is drawn uniformly and independently from $C$. Thus, for any $g \in G$, the distribution of $\pi(\eta(g))$ is $\pi_*\mathbb{U}_C$. It is then easy to verify that

$$\big\|(\eta \mapsto \pi \circ \eta)_*\mathbb{U}_{C^G} - \mathbb{U}_{G^G}\big\| \leq 2n^{-c}.$$

In other words, for a random oracle $\eta$, the function $\varphi = \pi \circ \eta$ is very close to being a random oracle (from $G$ to $G$) itself.

Since $c > 1/2$, we obtain, as in [21], an $O(\sqrt{n})$ bound on the expectation of the least positive integer $i + j$ for which $\varphi^{(i+j)}(g) = \varphi^{(j)}(g)$, for any $g = \pi(w) \in G$. For $d > 2$, the probability that $\pi(s) \neq \pi(t)$ in Step 5 is $o(1)$, since $C$ is then larger than $G$ and collisions in the map $\varphi$ (and $\phi$) are more likely to be caused by collisions in $\pi$ than collisions in $\eta$. Having reached Step 6, we obtain a short product representation of $z$ with probability $1/2$, since by results of [15] the value of $\pi(x)$ is independent of whether $x \in \mathcal{A}$ or $x \in \mathcal{B}$. The expected running time is thus $O(k\sqrt{n}) = O(\sqrt{n}\log n)$ group operations, and, as noted in Section 2.2, the space complexity is $O(1)$ group elements. We summarize our analysis with the following proposition.

Proposition. Let $S$ be a random sequence of constant density $d > 4$ and let $\eta : G \to C$ be a random oracle. Then our Pollard-$\rho$ algorithm uses $O(\sqrt{n}\log n)$ expected group operations and storage for $O(1)$ group elements.



As in Section 2.1, to speed up the evaluation of the product map $\pi$, one may partition $A$ and $B$ into subsequences $A_i$ and $B_i$ of length $m$ and precompute $\pi(\mathcal{P}(A_i))$ and $\pi(\mu(\mathcal{P}(B_i)))$. This requires storage for $O(k2^m/m)$ group elements and speeds up subsequent evaluations of $\pi$ by a factor of $m$. If we let $m = \epsilon\log_2 n$, for any $\epsilon > 0$, we obtain the following corollary.

Corollary. Under the hypotheses of the proposition above, our Pollard-$\rho$ algorithm can be implemented to run in expected time $O(\sqrt{n})$ using $O(n^{\epsilon})$ space.

In our analysis above, we use a random $S$ with $d > 4$ to prove that products of random elements of $\mathcal{A}$ and $\mathcal{B}$ are quasi-uniformly distributed in $G$. If we directly assume that both $\pi_*\mathbb{U}_{\mathcal{A}}$ and $\pi_*\mathbb{U}_{\mathcal{B}}$ are quasi-uniformly distributed, our analysis applies to all $d \geq 2$, and in practice we find this to be the case. However, we note that this does not apply to $d < 2$, for which we expect a running time of $\Omega(n^{(4-d)/4}\log n)$, as discussed in Section 5.

4. Applications 

As a first application, let us consider the case where $G$ is the ideal class group of an order $\mathcal{O}$ in an imaginary quadratic field. We may assume

$$\mathcal{O} = \mathbb{Z} + \frac{D + \sqrt{D}}{2}\,\mathbb{Z},$$

where the discriminant $D$ is a negative integer congruent to 0 or 1 modulo 4. Modulo principal ideals, the invertible ideals of $\mathcal{O}$ form a finite abelian group $\mathrm{cl}(\mathcal{O})$ of cardinality $h$. The class number $h$ varies with $D$, but is on average proportional to $\sqrt{|D|}$ (more precisely, $\log h \sim \frac{1}{2}\log|D|$ as $D \to -\infty$, by Siegel's theorem [27]). Computationally, invertible $\mathcal{O}$-ideals can be represented as binary quadratic forms, allowing group operations in $\mathrm{cl}(\mathcal{O})$ to be computed in time $O(\log^{1+\epsilon}|D|)$ via [52].

4.1. Prime ideals. Let $\ell_i$ denote the $i$-th smallest prime number for which there exists an invertible $\mathcal{O}$-ideal of norm $\ell_i$, and let $\mathfrak{a}_i$ denote the unique such ideal that has nonnegative trace. For each positive integer $k$, let $S_k$ denote the sequence of (not necessarily distinct) ideal classes

$$S_k = ([\mathfrak{a}_1], [\mathfrak{a}_2], \ldots, [\mathfrak{a}_k]).$$

For algorithms that work with ideal class groups, $S_k$ is commonly used as a set of generators for $\mathrm{cl}(\mathcal{O})$, and in practice $k$ can be made quite small, conjecturally $O(\log h)$. Proving such a claim is believed to be very difficult, but under the generalized Riemann hypothesis (GRH), Bach obtains the following result [4].

Theorem (Bach). Assume the GRH. If $D$ is a fundamental discriminant² and $\ell_{k+1} > 6\log^2|D|$, then the set $S_k$ generates $\mathrm{cl}(\mathcal{O})$.

Unfortunately, this says nothing about short product representations in $\mathrm{cl}(\mathcal{O})$. Recently, a special case of [16, Corollary 1.3] was considered in [8, Theorem 2.1] which still assumes the GRH but is more suited to our short product representation setting. Nevertheless, for our purpose here, we make the following stronger conjecture.

Conjecture. For every $d_0 > 1$ there exist constants $c > 0$ and $D_0 < 0$ such that if $D \leq D_0$ and $S_k$ has density $d \geq d_0$ then

(1) $\pi(\mathcal{P}(S_k)) = G$, that is, $S_k$ represents $G$;

(2) $\|\pi_*\mathbb{U}_{\mathcal{P}(S_k)} - \mathbb{U}_G\| < h^{-c}$;

where $G$ is the ideal class group $\mathrm{cl}(\mathcal{O})$ and $h$ is its cardinality.

In essence, these are heuristic analogs of the results of Erdős and Rényi, and of Impagliazzo and Naor, respectively, suggesting that the distribution of the classes $[\mathfrak{a}_i]$ resembles that of random elements uniformly drawn from $\mathrm{cl}(\mathcal{O})$. Note that (1), although seemingly weaker, is only implied by (2) when $c > 1$.

Empirically, (1) is easily checked: for $d_0 = 2$ we have verified it using $D_0 = -3$ for every imaginary quadratic order with discriminant $D \geq -10^{?}$, and for $10^4$ randomly chosen orders with $D$ logarithmically distributed over the interval $[-10^{?}, -10^{?}]$ (see Figure 1). Although harder to test, (2) is more natural in our context, and practical computations support it as well. Even though we see no way to prove this conjecture, we assume its veracity as a useful heuristic.

4.2. Short relations. In [13], Hafner and McCurley give a subexponential algorithm to find representatives of the form $\prod \mathfrak{a}_i^{e_i}$ for arbitrary ideal classes of imaginary quadratic orders; the ideals $\mathfrak{a}_i$ have subexponential norms, but the exponents $e_i$ can be as large as the class number $h$.

Asking for small exponents $e_i \in \{0, 1\}$ means, in our terminology, writing elements $z \in G$ as short product representations on $S_k = ([\mathfrak{a}_i])$. Under the conjecture above, this can be achieved by our low-memory algorithm in $O(|D|^{1/4+\epsilon})$ expected time, using $k = O(\log h)$ ideals $\mathfrak{a}_i$.



² Meaning that either $D$ is square-free, or $D/4$ is an integer that is square-free modulo 4.

[Figure 1: plot of $k$ against the class number $h$.]

Figure 1. Dots plot the minimal $k$ such that $S_k$ satisfies conjecture (1); gray dots for all discriminants $D \geq -10^{?}$ and black dots for ten thousand $D$ drawn at random according to a logarithmic distribution. The lines represent $k = d\log_2 h$ for $d = 1, 2$.

We can even combine these approaches. If the target element $z$ is represented by an ideal of small norm, say $z = [\mathfrak{a}_{k+1}]$, we get what we call a short relation for $\mathrm{cl}(\mathcal{O})$. Conjecture (1) implies not only that the map that sends each vector $(e_1, \ldots, e_{k+1}) \in \mathbb{Z}^{k+1}$ to the class of the ideal $\prod \mathfrak{a}_i^{e_i}$ is surjective, but also that there exists a set of short relations generating its kernel lattice $\Lambda$. This gives a much better upper bound on the diameter of $\Lambda$ than was used by Hafner and McCurley, and their algorithm can be adapted to make use of this new bound and find, in subexponential time, representatives $\prod \mathfrak{a}_i^{e_i}$ with ideals $\mathfrak{a}_i$ of subexponential norm and exponents bounded by $O(\log|D|)$. See [5] for details, or [8] for an equivalent construction.

4.3. Short isogenies. Now let us consider the problem of finding an isogeny between two ordinary elliptic curves $E_1$ and $E_2$ defined over a finite field $\mathbb{F}_q$. This problem is of particular interest to cryptography because the discrete logarithm problem can then be transported from $E_1$ to $E_2$. An isogeny between curves $E_1$ and $E_2$ exists precisely when $E_1$ and $E_2$ lie in the same isogeny class. By a theorem of Tate, this occurs if and only if $\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$, which can be determined in polynomial time using Schoof's algorithm [23].

The isogeny class of $E_1$ and $E_2$ can be partitioned according to the endomorphism rings of the curves it contains, each of which is isomorphic to an order $\mathcal{O}$ in an imaginary quadratic number field. Identifying isomorphic curves with their $j$-invariant, for each order $\mathcal{O}$ we define

$$\mathrm{Ell}(\mathcal{O}) = \{\, j(E) : \mathrm{End}(E) \cong \mathcal{O} \,\},$$

where $E$ denotes an elliptic curve defined over $\mathbb{F}_q$. The set $\mathrm{Ell}(\mathcal{O})$ to which a given curve belongs can be determined in subexponential time, under heuristic assumptions [6]. An isogeny from $E_1$ to $E_2$ can always be decomposed into two isogenies, one that is essentially determined by $\mathrm{End}(E_1)$ and $\mathrm{End}(E_2)$ (and can be made completely explicit but may be difficult to compute), and another connecting curves that lie in the same set $\mathrm{Ell}(\mathcal{O})$. We shall thus restrict ourselves to the problem of finding an isogeny between two elements of $\mathrm{Ell}(\mathcal{O})$.

The theory of complex multiplication states that $\mathrm{Ell}(\mathcal{O})$ is a principal homogeneous space (a torsor) for the class group $\mathrm{cl}(\mathcal{O})$: each ideal $\mathfrak{a}$ acts on $\mathrm{Ell}(\mathcal{O})$ via an isogeny of degree $N(\mathfrak{a})$, and this action factors through the class group. We may then identify each ideal class $[\mathfrak{a}]$ with the image $[\mathfrak{a}]\,j(E_1)$ of its action on $j(E_1)$. This allows us to effectively work in the group $\mathrm{cl}(\mathcal{O})$ when computing isogenies from $E_1$.

Galbraith addressed the search for an isogeny $E_1 \to E_2$ using a baby-step giant-step approach in [11]; a low-memory variant was later given in [12] which produces an exponentially long chain of low-degree isogenies. From that, a linearly long chain of isogenies of subexponential degree may be derived by smoothing the corresponding ideal in $\mathrm{cl}(\mathcal{O})$ using variants of the method of Hafner and McCurley (for instance, those mentioned in Section 4.2); alternatively, our low-memory algorithm can be used to derive a chain of low-degree isogenies with length linear in $\log|D|$ (assuming our conjecture), and we believe this is the most practical approach. However, let us describe how our method applies naturally to the torsor $\mathrm{Ell}(\mathcal{O})$, and directly finds a short chain of low-degree isogenies from $E_1$ to $E_2$ using very little memory.

Let $S_k = AB$ be such that conjecture (1) holds, where $A$ and $B$ are roughly equal in size, and define $C = \mathcal{A} \cup \mathcal{B}$ where $\mathcal{A} = \mathcal{P}(A)$ and $\mathcal{B} = \mu(\mathcal{P}(B))$. We view each element of $\mathcal{A}$ as a short chain of isogenies of small prime degree $\ell_i = N(\mathfrak{a}_i)$ that originates at $E_1$; similarly, we view elements of $\mathcal{B}$ as chains of isogenies originating at $E_2$. Now let $\pi : C \to \mathrm{Ell}(\mathcal{O})$ be the map that sends $x \in \mathcal{A}$ (resp. $x \in \mathcal{B}$) to the element of $\mathrm{Ell}(\mathcal{O})$ that is the codomain of the isogeny chain defined by $x$ and originating at $E_1$ (resp. $E_2$). It suffices to find a collision between an element of $\mathcal{A}$ and an element of $\mathcal{B}$ under the map $\pi$: this yields an isogeny chain from $E_1$ and an isogeny chain from $E_2$ that have the same codomain. Composing the first with the dual of the second gives an isogeny from $E_1$ to $E_2$.

The iteration function on $C$ can now be defined as the composition $\eta \circ \pi$ where $\eta$ is a map from $\mathrm{Ell}(\mathcal{O})$ to $C$ that behaves like a random oracle. Using this formalism, our Pollard-$\rho$ algorithm can be applied directly, and under the conjecture it finds an isogeny in time $O(h^{1/2+\epsilon})$. In terms of space, it only needs to store $O(1)$ elements of $\mathrm{cl}(\mathcal{O})$ and $\mathrm{Ell}(\mathcal{O})$, which is $O(\log q)$ bits. However, in order to compute isogenies, modular polynomials $\Phi_\ell(X, Y)$ might be used, each of which requires $O(\ell^3\log\ell)$ bits. If we heuristically assume that $\ell_k = O(k\log k) = O(\log h\,\log\log h)$, the overall space complexity is then bounded by $O(\log^{4+\epsilon} h) = O(\log^{4+\epsilon} q)$ bits, which is polynomial in $\log q$. This can be improved to $O(\log q)$ bits by using the algorithm of [29] to directly compute $\Phi_\ell(j(E), Y)$ in a space-efficient manner.

5. Computations 

To test our generic low-memory algorithm for finding short product representations in a practical setting, we implemented black boxes for three types of finite groups:

(1) $G = E(\mathbb{F}_p)$, the elliptic curve $E : y^2 = x^3 + x + 1$ over a finite field $\mathbb{F}_p$.

(2) $G = \mathrm{cl}(\mathcal{O})$,³ where $\mathcal{O}$ is an order in an imaginary quadratic field.

(3) $G = \mathrm{GL}(2, \mathbb{F}_p)$, the group of invertible $2 \times 2$ matrices over $\mathbb{F}_p$.

³ We identify $\mathcal{O}$ by its discriminant $D$ and may write $\mathrm{cl}(D)$ instead of $\mathrm{cl}(\mathcal{O})$.

To simplify the implementation, we restricted to cases where $\mathbb{F}_p$ is a prime field. The groups $E(\mathbb{F}_p)$ are abelian groups, either cyclic or the product of two cyclic groups. The groups $\mathrm{cl}(\mathcal{O})$ are also abelian, but may be highly non-cyclic (we specifically chose some examples with large 2-rank), while the groups $\mathrm{GL}(2, \mathbb{F}_p)$ are non-abelian.

For the groups $E(\mathbb{F}_p)$, we used the sequence of points $S = (P_1, \ldots, P_k)$ with $P_i = (x_i, y_i)$, where $x_i$ is the $i$-th smallest positive integer for which $x_i^3 + x_i + 1$ is a quadratic residue modulo $p$, with $y_i \leq (p-1)/2$; our target $z$ was the point $P_{k+1}$. For the groups $\mathrm{cl}(\mathcal{O})$, we used the sequence $S_k$ defined in Section 4.1 with $z = [\mathfrak{a}_{k+1}]$. For the groups $\mathrm{GL}(2, \mathbb{F}_p)$, we simply chose a sequence $S$ of length $k$ and a target element $z$ at random.

Table 1 lists performance data obtained by applying our Pollard-$\rho$ algorithm to various groups $G$ and sequences $S$ of densities $d = k/\log_2 n$ ranging from just under 2 to slightly more than 4. Each row compares expected values with actual results that are averages over at least $10^{?}$ runs.

The parameter $c$ counts the number of collisions $\phi^{(i+j)}(w) = \phi^{(j)}(w)$ that were needed for a run of the algorithm to obtain a short product representation. Typically $c$ is greater than 1 because not every collision yields a short product representation. The parameter $\rho_{\mathrm{tot}}$ is the sum of $\rho = i + j$ over the $c$ collisions required, and represents a lower bound on the number of times the map $\phi$ was evaluated. With efficient collision detection, the actual number is very close to $\rho_{\mathrm{tot}}$ (using the method of distinguished points we were able to stay within 1%).

The expected values of $c$ and $\rho_{\mathrm{tot}}$ listed in Table 1 were computed under the heuristic assumption that $\eta : G \to C$ and $\pi : C \to G$ are both random functions. This implies that while iterating $\phi$ we are effectively performing simultaneous independent random walks on $G$ and $C$. Let $X$ and $Y$ be independent random variables for the number of steps these walks take before reaching a collision, respectively. The probability that $\pi(s) = \pi(t)$ in Step 5 is $P(X < Y)$, and the algorithm then proceeds to find a short product representation with probability $1/2$.

Using the probability density $u\exp(-u^2/2)\,du$ of $X/\sqrt{\#G}$ and $Y/\sqrt{\#C}$, we find

$$E[c] = 2/P(X < Y) = 2(1 + r),$$

where $r = \#G/\#C$. One may also compute

$$E[\rho_{\mathrm{tot}}] = E[c]\,E[\min(X, Y)] = \sqrt{2\pi n(1 + r)}.$$

For $d > 2$, we have $r \approx 0$ for large $n$, so that $E[c] \approx 2$ and $E[\rho_{\mathrm{tot}}] \approx \sqrt{2\pi n}$. For $d = 2$, we have $E[c] = 3$ and $E[\rho_{\mathrm{tot}}] = \sqrt{3\pi n}$ (when $k$ is even). For $d < 2$, the value of $E[c]$ increases with $n$ and we have $E[\rho_{\mathrm{tot}}] = O(n^{(4-d)/4})$.
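The two expectations above follow from the Rayleigh approximation in a few lines. The derivation below is added here (it is not in the paper) and uses the paper's symbols, with $U = X/\sqrt{\#G}$ and $V = Y/\sqrt{\#C}$, so that $\Pr[U > u] = e^{-u^2/2}$ and $\#C = \#G/r = n/r$:

$$
\begin{aligned}
P(X < Y) &= \Pr\big[\,U < V/\sqrt{r}\,\big]
 = 1 - \mathbb{E}\big[e^{-V^2/(2r)}\big]
 = 1 - \int_0^\infty v\,e^{-v^2/2}\,e^{-v^2/(2r)}\,dv \\
 &= 1 - \frac{1}{1 + 1/r} = \frac{1}{1 + r}.
\end{aligned}
$$

A collision is useful only when it is a $\pi$-collision (probability $P(X<Y)$) and its two preimages lie on opposite sides of $C$ (probability $1/2$), so $c$ is geometric with success probability $\tfrac{1}{2}P(X<Y)$ and $E[c] = 2(1+r)$. For the second formula,

$$
\Pr[\min(X,Y) > t] = e^{-t^2/(2\#G)}\,e^{-t^2/(2\#C)} = e^{-t^2(1+r)/(2n)},
$$

so $\min(X,Y)$ is Rayleigh with scale $\sqrt{n/(1+r)}$ and $E[\min(X,Y)] = \sqrt{\pi n/(2(1+r))}$; multiplying by $E[c] = 2(1+r)$ gives

$$
E[\rho_{\mathrm{tot}}] = 2(1+r)\sqrt{\frac{\pi n}{2(1+r)}} = \sqrt{2\pi n(1+r)}.
$$

With $\#C = 2 \cdot 2^{k/2} = 2n^{d/2}$ one has $r = \tfrac12 n^{1-d/2}$: for $d = 2$ and $k$ even this is $r = \tfrac12$, giving $E[c] = 3$ and $E[\rho_{\mathrm{tot}}] = \sqrt{3\pi n}$, and for $d < 2$ it gives $E[\rho_{\mathrm{tot}}] = \sqrt{\pi n^{2-d/2}\,(1 + o(1))} = O(n^{(4-d)/4})$.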

In addition to the tests summarized in Table 1 we applied our low-memory algorithm to some larger problems that would be quite difficult to address with the baby-step giant-step method. Our first large test used $G = E(\mathbb{F}_p)$ with $p = 2^{80} + 13$, which is a cyclic group of order $n = p + 1 + 1475321552477$, and the sequence $S = (P_1, \ldots, P_k)$ with points $P_i$ defined as above with $k = 200$, which gives $d \approx 2.5$. Our target element was $z = P_{201}$ with $x$-coordinate 391. The computation was run in parallel on 32 cores (3.0 GHz AMD Phenom II), using the distinguished points method.⁴ The second collision yielded a short product representation after evaluating the map $\phi$ a total of $1480862431620 \approx 1.35\sqrt{n}$ times.



⁴ In this parallel setting we may have collisions between two distinct walks (a $\lambda$-collision), or a single walk may collide with itself (a $\rho$-collision). Both types are useful.

Table 1. Comparison of expected vs. observed values on various groups.
After precomputing 655360 partial products (as discussed in Section 3), each evaluation of $\phi$ used 5 group operations, compared to an average of 50 without precomputation, and this required just 10 megabytes of memory. The entire computation used approximately 140 days of CPU time, and the elapsed time was about 4 days. We obtained a short product representation for $z$ as the sum of 67 points $P_i$ with $x$-coordinates less than 391. In hexadecimal notation, the bit-string that identifies the corresponding subsequence of $S$ is:

542ab7d1f505bdaccdbeb6c2e92180d5f38a20493d60f031c1

Our second large test used the group $G = \mathrm{cl}(1 - 2^{?})$, which is isomorphic to

$$(\mathbb{Z}/2\mathbb{Z})^8 \times \mathbb{Z}/4\mathbb{Z} \times \mathbb{Z}/8\mathbb{Z} \times \mathbb{Z}/80894875660895214584\mathbb{Z},$$

see [?, Table B.4]. We used the sequence $S_k$ with $k = 200$, and chose the target $z = [\mathfrak{a}_{201}]$ with $N(\mathfrak{a}_{201}) = 2671$. We ran the computation in parallel on 48 cores, and needed 3 collisions to obtain a short product representation, which involved a total of $2856153808020 \approx 3.51\sqrt{n}$ evaluations of $\phi$. As in the first test, we precomputed 655360 partial products so that each evaluation of $\phi$ used 5 group operations. Approximately 900 days of CPU time were used (the group operation in $\mathrm{cl}(D)$ is slower than in the group $E(\mathbb{F}_p)$ used in our first example). We obtained a representative for the ideal class $z$ as the product of 106 ideals with prime norms less than 2671. The bit-string that encodes the corresponding subsequence of $S_k$ is:

5cf854598d6059f607c6f17b8fb56314e87314bee7df9164cd